[Pkg-openldap-devel] Bug#696207: ldapsearch sets Kerberos principal incorrectly over IPv6

Russ Allbery rra at debian.org
Tue Dec 18 04:35:05 UTC 2012


Brian May <brian at microcomaustralia.com.au> writes:
> On 18 December 2012 15:23, Russ Allbery <rra at debian.org> wrote:

>> I think this is your GSS-API library being excessively helpful and
>> canonicalizing the host identity with DNS for you, and then getting
>> confused by whatever nsswitch is returning.  This isn't really under
>> the control of the application; the GSS-API library will do this under
>> the hood.

> Like I said, same result both from Heimdal and MIT. Is it possible
> both independent implementations made exactly the same mistake?

Absolutely.  Because it's generally not considered a mistake; it may be
mandatory if one is doing DNS load balancing, for example.  That reverse
DNS resolution has been common in Kerberos applications for twenty years
(even though it's a security issue).  There's some movement away from it,
but it's still the normal default for how Kerberos works.

It's possible, given that changing rdns isn't fixing it, that the
canonicalization is being done somewhere upstream.  It would moderately
surprise me if LDAP is doing it, though.  Hm.  Probably will take tracing
through code for how the server identity is derived to figure out what's
doing it.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
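The canonicalization Russ describes (forward-resolve the host name, then, with rdns enabled, swap in the PTR name of the chosen address) is easy to reason about with a small model. The following is an added example, not code from this thread or from the MIT or Heimdal libraries: it uses constructed DNS tables (the names ldap.example.com, ipv6-host.example.com, the addresses, and the realm EXAMPLE.COM are all invented) to show why the resulting principal can differ by address family when the IPv6 PTR record does not match the forward name, and includes the operator-side check that finds such mismatches before clients trip over them.

```python
"""Simplified model of how a Kerberos/GSS-API client derives a service
principal from a host name, including the optional reverse-DNS (rdns) step.
Constructed example; not MIT or Heimdal code."""

# Constructed DNS data: forward records for the LDAP server and PTR records
# for its addresses.  The IPv6 PTR deliberately points at a different name,
# the kind of mismatch that makes an rdns-enabled client ask the KDC for the
# wrong service principal only when it happens to connect over IPv6.
FORWARD = {
    "ldap.example.com": ["192.0.2.10", "2001:db8::10"],
}
REVERSE = {
    "192.0.2.10": "ldap.example.com",
    "2001:db8::10": "ipv6-host.example.com",
}


def _normalize(name):
    """Lower-case and strip the trailing dot, as principal names are compared."""
    return name.lower().rstrip(".")


def canonicalize(hostname, addr_family="inet", rdns=True,
                 forward=FORWARD, reverse=REVERSE):
    """Return (canonical_name, address) the way a library doing DNS
    canonicalization would: forward-resolve the name, pick an address of the
    requested family, and, if rdns is on, replace the name with that
    address's PTR record when one exists."""
    name = _normalize(hostname)
    want_v6 = addr_family == "inet6"
    addrs = [a for a in forward.get(name, []) if (":" in a) == want_v6]
    if not addrs:
        # No address of that family: nothing to reverse-resolve, keep the name.
        return name, None
    addr = addrs[0]
    if rdns:
        ptr = reverse.get(addr)
        if ptr:
            name = _normalize(ptr)
    return name, addr


def service_principal(service, hostname, realm, addr_family="inet", rdns=True,
                      forward=FORWARD, reverse=REVERSE):
    """Build service/host@REALM from the canonicalized host name."""
    name, _ = canonicalize(hostname, addr_family, rdns, forward, reverse)
    return f"{service}/{name}@{realm}"


def ptr_mismatches(hostname, forward=FORWARD, reverse=REVERSE):
    """Operator-side check: list the addresses of hostname whose PTR record
    does not resolve back to the same name.  Each entry is an address family
    over which an rdns-enabled client will request a different principal than
    the one the server actually holds a key for."""
    name = _normalize(hostname)
    bad = []
    for addr in forward.get(name, []):
        ptr = reverse.get(addr)
        if ptr is None or _normalize(ptr) != name:
            bad.append(addr)
    return bad


if __name__ == "__main__":
    for fam in ("inet", "inet6"):
        for rdns in (True, False):
            print(fam, "rdns" if rdns else "no-rdns",
                  service_principal("ldap", "ldap.example.com",
                                    "EXAMPLE.COM", fam, rdns))
    print("PTR mismatches:", ptr_mismatches("ldap.example.com"))
```

With the constructed tables, the IPv4 path yields ldap/ldap.example.com@EXAMPLE.COM under either setting, while the IPv6 path with rdns on yields ldap/ipv6-host.example.com@EXAMPLE.COM, which no keytab on the server matches. To run the same check against real DNS, replace the two tables with lookups through socket.getaddrinfo and socket.gethostbyaddr from the Python standard library; the mismatch logic is unchanged.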


